<!DOCTYPE html>
{% autoescape true %}
<html>
    <head>
        <title>Using HttpOnly Only</title>
        <link href='/css/base.css' rel='stylesheet' type='text/css'></link>
    </head>

    <body>
        <h1>Using HttpOnly Only</h1>
        
        <div>One of the defense against XSS is usign HttpOnly Cookie. In this demo, we demonstrate how to make cookie HttpOnly</div>
        <ul>
            <li>Two tokens are added to the cookie in homepage '/'</li>
            <li>These tokens will be sent between each request until expire</li>
            <li>'token1' is HttpOnly, 'token2' is not. They can be accessed on the server side and render to the templates</li>
            
            <div>token1 = "{{ token1 }}"</div>
            <div>token2 = "{{ token2 }}"</div>
            <br>
            
            <li>Try to type "document.cookie" in the developer console and see what you get.</li>
            <li>Try to set 'secure' flag to your cookies so that it will only be sent over Https</li>
        </ul>       
        
        <a href="/">Home</a>
    </body>
</html>

{% endautoescape %}